Source code

001/*
002 * oauth2-oidc-sdk
003 *
004 * Copyright 2012-2016, Connect2id Ltd and contributors.
005 *
006 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
007 * this file except in compliance with the License. You may obtain a copy of the
008 * License at
009 *
010 *    http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software distributed
013 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
014 * CONDITIONS OF ANY KIND, either express or implied. See the License for the
015 * specific language governing permissions and limitations under the License.
016 */
017
018package com.nimbusds.oauth2.sdk.auth.verifier;
019
020
021import java.security.PublicKey;
022import java.util.List;
023
024import com.nimbusds.jose.JWSHeader;
025import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
026import com.nimbusds.oauth2.sdk.auth.SelfSignedTLSClientAuthentication;
027import com.nimbusds.oauth2.sdk.auth.Secret;
028import com.nimbusds.oauth2.sdk.id.ClientID;
029
030
031/**
032 * Selector of client credential candidates for client authentication
033 * verification. The select methods should typically return a single candidate,
034 * but may also return multiple in case the client rotates its keys.
035 *
036 * <p>Implementations must be tread-safe.
037 *
038 * <p>Selection of {@link com.nimbusds.oauth2.sdk.auth.ClientSecretBasic
039 * client_secret_basic}, {@link com.nimbusds.oauth2.sdk.auth.ClientSecretPost
040 * client_secret_post} and {@link com.nimbusds.oauth2.sdk.auth.ClientSecretJWT
041 * client_secret_jwt} secrets is handled by the {@link #selectClientSecrets}
042 * method.
043 *
044 * <p>Selection of {@link com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT
045 * private_key_jwt} and
046 * {@link SelfSignedTLSClientAuthentication pub_key_tls_client_auth}
047 * keys is handled by the {@link #selectPublicKeys} method.
048 *
049 * <p>The generic {@link Context context object} may be used to return
050 * {@link com.nimbusds.oauth2.sdk.client.ClientMetadata client metadata} or
051 * other information to the caller.
052 */
053public interface ClientCredentialsSelector<T> {
054
055
056        /**
057         * Selects one or more client secret candidates for
058         * {@link com.nimbusds.oauth2.sdk.auth.ClientSecretBasic client_secret_basic},
059         * {@link com.nimbusds.oauth2.sdk.auth.ClientSecretPost client_secret_post} and
060         * {@link com.nimbusds.oauth2.sdk.auth.ClientSecretJWT client_secret_jwt}
061         * authentication.
062         *
063         * @param claimedClientID The client identifier (to be verified). Not
064         *                        {@code null}.
065         * @param authMethod      The client authentication method. Not
066         *                        {@code null}.
067         * @param context         Additional context. May be {@code null}.
068         *
069         * @return The selected client secret candidates, empty list if none.
070         *
071         * @throws InvalidClientException If the client is invalid.
072         */
073        List<Secret> selectClientSecrets(final ClientID claimedClientID,
074                                         final ClientAuthenticationMethod authMethod,
075                                         final Context<T> context)
076                throws InvalidClientException;
077
078
079        /**
080         * Selects one or more public key candidates (e.g. RSA or EC) for
081         * {@link com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT private_key_jwt}
082         * and {@link SelfSignedTLSClientAuthentication
083         * pub_key_tls_client_auth} authentication.
084         *
085         * @param claimedClientID The client identifier (to be verified). Not
086         *                        {@code null}.
087         * @param authMethod      The client authentication method. Not
088         *                        {@code null}.
089         * @param jwsHeader       The JWS header, which may contain parameters
090         *                        such as key ID to facilitate the key
091         *                        selection. {@code null} for TLS client
092         *                        authentication.
093         * @param forceRefresh    {@code true} to force refresh of the JWK set
094         *                        (for a remote JWK set referenced by URL).
095         * @param context         Additional context. May be {@code null}.
096         *
097         * @return The selected public key candidates, empty list if none.
098         *
099         * @throws InvalidClientException If the client is invalid.
100         */
101        List<? extends PublicKey> selectPublicKeys(final ClientID claimedClientID,
102                                                   final ClientAuthenticationMethod authMethod,
103                                                   final JWSHeader jwsHeader,
104                                                   final boolean forceRefresh,
105                                                   final Context<T> context)
106                throws InvalidClientException;
107}